Memorandum of Understanding 


Reporting Alleged Breaches of Section 56, Data Protection Act 1998


The Information Commissioner 
and 
ACRO Criminal Records Office 


Introduction 


1. This Memorandum of Understanding (MoU) establishes a framework
for co-operation and information sharing between ACRO and the
Information Commissioner (the Commissioner) in connection with
the sharing of relevant information and intelligence, set out at 15
below. It sets out the role of each organisation and documents the
practical working level arrangements between the Commissioner
and ACRO.

2. The Commissioner and ACRO will monitor the operation of this
memorandum and will review it, initially after six months from the
date of this document, and subsequently from time to time as
necessary.

3. Any changes to this memorandum identified between reviews may
be agreed in writing between the parties.

4. Any issues arising in relation to this memorandum will be notified to
the point of contact for each organisation (referred to in 25 below).

5. This memorandum is a statement of intent that does not give rise to
legally binding obligations on the part of either the Commissioner or
ACRO.


Functions and powers of Commissioner 


6. The Commissioner is a corporation sole appointed by Her Majesty
the Queen under the Data Protection Acts 1984 and 1998 to act as
the UK’s independent regulator promoting public access to official
information and protecting personal data.

7. The Commissioner regulates the Data Protection Act 1998 (DPA),
the Freedom of Information Act 2000 (FOIA), the Privacy and
Electronic Communications (EC Directive) Regulations 2003 (PECR),
the Environmental Information Regulations 2004 (EIR) and the
INSPIRE Regulations 2009.

8. Section 51 of the DPA places a duty on the Commissioner to
promote the following of good practice by data controllers and the
observance of the requirements of the DPA by organisations.

9. Where the Commissioner is satisfied that any of the data protection
principles have been breached, a number of steps can be taken to
seek to change the behaviour of the organisation including:

- serving information notices requiring organisations to provide the
  Information Commissioner’s Office with specified information
  within a certain time period;
- issuing undertakings committing an organisation to a particular
  course of action in order to improve its compliance;
- serving enforcement notices where there has been a breach,
  requiring organisations to take (or refrain from taking) specified
  steps in order to ensure they comply with the law;
- conducting consensual assessments to check organisations are
  complying; and
- issuing monetary penalty notices, requiring organisations to pay
  up to £500,000 for serious breaches.

10. The Commissioner may also prosecute those who commit criminal
offences under the DPA.


Functions of ACRO 


11. ACRO was founded in 2006 following a decision by the Association
of Chief Police Officers to establish an operationally focussed unit
that would organise the management of criminal record information
and improve the links between criminal records and biometric
information.

12. Following agreement between ACPO on behalf of Chief Constables,
and ACRO, the ACRO National Subject Access Team (NSAT)
processes Subject Access Requests (National Checks) from
applicants for their sensitive personal data which may be held on
the Police National Computer (the PNC). ACRO is a Data Controller
in Common in respect of personal data held on the PNC along with
Chief Constables.

13. The PNC is a national police database that holds information on
persons, vehicles and property for all police forces in England,
Wales, Northern Ireland, Scotland, Jersey, Guernsey and the Isle of
Man. It contains a number of different applications and each force is
responsible for the maintenance of its own data held within those
applications. The PNC applications for which ACRO will
provide subject access responses are the Person Record relating to
the data subject.

14. For the purposes of this agreement, from 10 March 2015, the
information to be exchanged with the Commissioner will be
generated by NSAT.


Cooperation between ACRO and the Commissioner 


15. Since its inception, NSAT has had concerns over possible cases of
enforced Subject Access.

16. Subject to any legal restrictions on the disclosure of information
(whether imposed by statute or otherwise) and at their discretion,
ACRO agree that NSAT will alert the Commissioner to any potential
breaches of Section 56 of the DPA discovered whilst undertaking its
duties, and provide relevant supporting information and intelligence.

17. Subject to any legal restrictions on the disclosure of information
(whether imposed by statute or otherwise) and at his discretion, the
Commissioner agrees that he will alert ACRO to any potential
breaches of Section 56 of the DPA, or information relevant to the
aims set out at 11 above, discovered whilst undertaking their
duties, and provide relevant supporting information.

18. Subject to any legal restrictions on the disclosure of information
(whether imposed by statute or otherwise) and at their discretion,
both parties will:

a) Communicate regularly to discuss matters of mutual interest
(this may involve participating in multi-agency groups to
address common issues and threats); and

b) Consult one another on any issues which might have
significant implications for the other organisation.


Sharing information 


19. Subject to any disclosure restrictions applicable to ACRO, they may
disclose confidential information to the Commissioner to facilitate
the carrying out of an investigation under Section 56 of the DPA, as
set out in 14 and 16 above.

20. Where ACRO wishes to disclose to the Commissioner information
necessary for the discharge by the Commissioner of his functions
under the DPA, section 58 DPA provides that no enactment or rule
of law prohibiting or restricting the disclosure of information
shall preclude ACRO from furnishing such information to the
Commissioner.

21. In respect of information obtained by or furnished to the
Commissioner for the purposes of his functions under the
Information Acts, it is an offence under section 59 DPA for any
current or former member of the Commissioner's staff or his agent
to disclose such information without lawful authority.

22. Section 59(2)(e) DPA provides that a disclosure by the
Commissioner of information obtained by or furnished to him is
made with lawful authority where, having regard to the rights and
freedoms or legitimate interests of any person, the disclosure is
necessary in the public interest.

23. In addition, section 59(2)(d) DPA provides that a disclosure of
information by the Commissioner is made with lawful authority
where the disclosure is made for the purposes of any proceedings,
whether criminal or civil.

24. The Commissioner may, at his discretion and in accordance with
sub-sections 59(2)(d) and/or (e) DPA, disclose confidential
information to ACRO, where this is necessary for performing the
functions set out at 8 and/or 9 above.


Points of contact 


25.

ACRO | Information Commissioner
Kelly Glitheroe, Bureau Deputy Manager | Adam Stevens, Intelligence Hub Manager
PO Box 481 | Wycliffe House
Fareham | Water Lane
Hampshire | Wilmslow
PO14 9FS | SK9 5AF


The Information Commissioner 


(Signature) | (Signature)
Ian Readhead | Christopher Graham
Chief Executive ACRO | Information Commissioner
National Director of Information |